FEDERAL TRADE COMMISSION
OFFICE OF INSPECTOR GENERAL

SEMIANNUAL REPORT TO CONGRESS

April 1, 2004 - September 30, 2004

Report #31

TABLE OF CONTENTS

TRANSMITTAL

INTRODUCTION

AUDIT ACTIVITIES
  Completed Audits
  Summary of Findings for Reviews Issued During the Current Period
  Audits in Which Fieldwork is In Progress
  Planned Audits

INVESTIGATIVE ACTIVITIES
  Investigative Summary
  Matters Referred for Prosecution

OTHER ACTIVITIES
  Significant Management Decisions
  Access to Information
  Internet Access
  Audit Resolution
  Review of Legislation
  Contacting the Office of Inspector General

TABLES
  Table I: Summary of Inspector General Reporting Requirements
  Table II: Inspector General Issued Reports With Questioned Costs
  Table III: Inspector General Issued Reports With Recommendations That Funds Be Put To Better Use

INTRODUCTION

The Federal Trade Commission (FTC) seeks to assure that the nation’s markets are
competitive, efficient, and free from undue restrictions. The FTC also seeks to improve the
operation of the marketplace by ending unfair and deceptive practices, with emphasis on those
practices that might unreasonably restrict or inhibit the free exercise of informed choice by
consumers.
The FTC relies on economic analysis to support its law enforcement efforts and to
contribute to the economic policy deliberations of Congress, the Executive Branch and the
public.

To aid the FTC in accomplishing its consumer protection and antitrust missions, the
Office of Inspector General (OIG) was provided five work years and expended approximately
$710,000 for Fiscal Year 2004.

AUDIT ACTIVITIES

During this semiannual period, the OIG issued an audit of the FTC’s transit subsidy
program and an audit of the implementation of an agreement with the United States Agency for
International Development (USAID) to provide technical assistance to developing countries.
The OIG also completed its fourth annual audit of information security pursuant to requirements
contained in the Federal Information Security Management Act (FISMA). The OIG also began
an audit of the FTC’s Financial Statements for FY 2004 and a survey of select aspects of the
national Do-Not-Call registry.
Detailed information regarding these audits and reviews is provided below.

Completed Audits

Audit Report Number    Subject of Audit

AR 04-059              Audit of the FTC’s Transit Subsidy Program
                       for Fiscal Year 2003

AR 04-060              Review of FTC’s Management of Funds Transferred
                       from the United States Agency for International
                       Development in Fiscal Year 2003 for Technical
                       Assistance to Developing Countries

AR 04-061              Office of Inspector General Independent Evaluation
                       of FTC Implementation of the Federal Information
                       Security Management Act for FY 2004

AR 04-061A             Executive Summary: Federal Information Security
                       Management Act

Summary of Findings for Reviews Issued During the Current Period

In AR 04-059, Audit of the FTC’s Transit Subsidy Program for Fiscal Year 2003, the
objective of the audit was to determine whether controls were in place to ensure that (i)
Department of Transportation (DOT) accurately billed the FTC for the subsidy its contractors
distributed to agency staff; (ii) transit subsidy payments were properly reflected on the agency’s
books and records and that all monthly adjustments were properly accounted for; (iii) employees
were following program guidelines when calculating their monthly subsidy request and received
only the amount of subsidy authorized under the program; and (iv) only eligible authorized
agency staff received a subsidy.

The OIG determined that the agency was
accurately billed for the subsidy provided to
FTC employees through the DOT, and that these amounts were accurately reflected in the
agency’s budgetary accounts. However, the OIG identified duplicate subsidies paid to six FTC
staff in select months. After satisfying ourselves that FTC staff were not implicated in any
wrongdoing (i.e., no staff received more than one duplicate payment) the OIG referred the
finding to the program coordinator for follow-up with DOT staff to identify and correct
weaknesses in controls that permitted these duplicate payments.

While the program costs are accurately reflected in the agency’s financial records, the
OIG found that the agency is slightly over-subsidizing a significant number of its staff. The
application form used by all staff to enroll in the program provides for a maximum monthly
subsidy assuming no leave is taken by the employee. To arrive at a correct subsidy amount, the
process requires employees to perform monthly adjustments. Failure to perform such
calculations is rewarded with a full subsidy. While employees are asked to make monthly
adjustments for leave resulting in a reduction to their base subsidy, the OIG found that most
employees do not make such adjustments, resulting in an OIG-estimated overpayment to the
agency’s 700 plus subsidy recipients of between $30,000 and $50,000 annually.

Finally, the OIG performed steps to identify fraud, as required by Government Auditing
Standards. Tests performed by the OIG in high risk areas did not identify any instances of fraud
in the program.

The OIG believes that shortcomings inherent in the current transit subsidy program can
be effectively addressed by redesigning the application form to consider likely leave usage when
the base monthly subsidy is originally calculated.
Based on years of service and agency
sick/annual leave averages, employees need only make appropriate adjustments one time, e.g.,
when completing the application. The advantages of this approach are threefold: it would (i)
eliminate the need for agency employees to recalculate their monthly subsidy entitlement, (ii)
substantially reduce after-the-fact review costs by management to ensure compliance, and (iii)
save the agency a significant sum of money.

The OIG provided management with one possible calculation approach that, if adopted,
would provide employees with a far more accurate estimate of the subsidy amounts they would
be entitled to over a year’s time. The calculation considers, in addition to holidays, annual and
sick leave, along with some administrative leave usage. If such an approach was taken to
develop the original subsidy amount, employees would only need to make adjustments for
extraordinary events, such as extended travel and/or sick leave.

In AR 04-060, Review of FTC’s Management of Funds Transferred from the United
States Agency for International Development in Fiscal Year 2003 for Technical Assistance to
Developing Countries, the objectives of the audit were to determine whether, for fiscal year
ending 9/30/03, the payroll and other related program costs charged against USAID funds were
(i) supported by approved documentation, and that these allocations appeared proper and
reasonable; and (ii) used only for the purposes stipulated by USAID in formal agreements with
the FTC.

The review was undertaken pursuant to requirements contained in H. J. Res. 2, the
Consolidated Appropriations Resolution, 2003 (P.L. 108-7).
Section 509(d) of the Appropriations
Act requires that any agreement entered into by USAID with another agency must include periodic
financial and program audits of the transferred funds by that agency’s Office of Inspector General.

In complying with this new mandate, the OIG found that, for items selected for review,
procedures were in place to allocate costs among USAID programs consistently and correctly, and
that funds were spent in compliance with the agreements between USAID and the FTC for the
period reviewed. The OIG found only a few instances where some costs were incorrectly coded
into the accounting system despite program staff’s proper classification of these expenses. The
OIG also noted that the agency lacks a policy to allocate airfare in select circumstances.

In AR 04-061, OIG Evaluation of FTC Implementation of the Federal Information Security
Management Act (FISMA) for FY 2004, the review objectives were to assess compliance with
FISMA and related information security policies, procedures, standards and guidelines, and to test
their effectiveness on a representative subset of the agency’s information systems. Specifically, this
review (1) evaluated the implementation of the FTC’s information security program; (2) assessed
agency progress towards correcting weaknesses addressed within the 2004 Plan of Action and
Milestones (POA&M); (3) verified and tested information security and access controls for the
General Support System, the Federal Financial System and the Premerger System, and (4)
evaluated FTC’s recently-established vulnerability assessment scanning and remediation program.

The FTC continues to make progress in developing a mature information security program,
and has implemented or addressed many of the OIG-identified security vulnerabilities discussed in
the prior year evaluation.
For example, the FTC (i) certified and accredited (C&A) one Major
Application and one General Support system by the close of fieldwork, and planned to complete
C&A’s on all remaining systems by fiscal year end; (ii) made significant improvements in the
POA&M tracking and reporting process; (iii) developed policies and procedures that addressed
various security issues; and (iv) developed a scanning and remediation program for system
vulnerabilities. As importantly, management appears to be tailoring its security approach to
conform to procedures and guidance issued by the National Institute of Standards and Technology
(NIST), the Federal Government’s recognized IT security expert.

In addition to numerous technical improvements, FTC also made selected structural
improvements. As of mid-June 2004, the ITM Operations Section assumed responsibility for all
production systems. Prior to this time and contrary to recommended industry practices, developers
had substantial privileges on production applications and data. Software is being secured in a
locked room and all new and revised hardware and software are authorized, tested, and approved
prior to implementation. Finally, default system passwords have been changed and Change
Management procedures are now in use to manage and track system changes.

While the agency has made many needed changes and improvements in its IT security
program, the OIG has also identified some new vulnerabilities that could impact the overall
effectiveness of the IT security program. The Office of Management and Budget (OMB), in FY
2004 FISMA reporting guidance, has instructed OIG’s to distinguish these vulnerabilities based on
the level of risk they represent to the agency’s ability to safeguard its information.
Specifically, OMB uses the category “significant deficiency” to refer to a weakness in an agency’s overall
information security program or management control structure, or within one or more information
systems, that significantly restricts the capability of the agency to carry out its mission, or
compromises the security of its information, information systems, personnel, or other resources,
operations or assets. Immediate corrective action must be taken. Somewhat lower on the scale of
urgency are “reportable conditions,” or security or management control weaknesses that do not
rise to the level of a significant deficiency, yet are still sufficiently important to be reported to
internal management.

For FY 2004, unlike in prior years, the OIG found no significant deficiencies in the FTC’s
overall information security program. Yet, we did identify a number of reportable conditions, many
of which ITM management is now in the process of addressing. For example, ITM needed to make
changes to several security-related policies and procedures to bring them in line with OMB, NIST
and security best practices.

The OIG also identified selected weaknesses in ITM’s ability to control access to data.
Specifically, the evaluation team found a few former employees who still had active network
accounts months after leaving the agency.
In addition, some current employees who transferred to
different positions within the agency did not routinely lose their access to formerly-needed data.
The OIG provided the names of individuals to the appropriate staff within ITM for removal from
the network or from select databases.

Audits in Which Field Work is In Progress

Audit Report Number    Subject of Review

AR05-XXX               Audit of the FTC’s Financial Statements for Fiscal Year 2004

The purpose of the audit is to express an opinion on the
financial statements of the Federal Trade Commission for the
fiscal year ending September 30, 2004. The principal
statements to be audited include the (a) Balance Sheet; (b)
Statement of Net Cost; (c) Statement of Changes in Net
Position; (d) Statement of Budgetary Resources; (e) Statement
of Financing; (f) Statement of Custodial Activity, and notes to
the financial statements. The OIG will also test the internal
controls associated with the movement of transactions through
the FTC’s financial system, and assess compliance with
selected laws and regulations.

The OIG will use guidance contained in OMB Bulletin No.
01-02, Audit Requirements for Federal Financial Statements,
in performing this audit.
This year, the audited financial
statements are required to be included in the financial section
of the agency’s Performance and Accountability Report to be
issued on or before November 15, 2004.

Audit Report Number

AR05-XXX               Survey of Do-Not-Call Registry Removal Procedures

The OIG has learned of a small number of consumers
claiming to have been inadvertently removed from the
Do-Not-Call Registry without their knowledge or consent. DNC
officials informed the OIG that on occasion, when a caller
makes changes to his/her phone service the local companies
might mistakenly identify such requests as a disconnect. In
turn, when the agency’s contractor routinely scrubs the
registry, it might inadvertently identify such numbers as
disconnects and remove them from the DNC registry.

The objective of this survey is to determine whether registered
consumers are being properly removed from the registry, and
if not, what is the reason for their removal.
To complete this objective, the OIG will (i) verify that the information the
contractor provides to the FTC monthly on the number of
disconnects and deletions is complete and accurate; (ii)
document criteria used to remove numbers from the registry,
(iii) define the role played by local phone companies in the
removal process, (iv) determine whether the removals were
made for reasons that are in keeping with contractual
agreements and program objectives, and (v) analyze and
explain any discrepancies.

Planned Audits

Audit Report Numbers   Subject Review

AR05-XXX               Review of Annual Performance Measures Under the
                       Government Performance and Results Act

Under the Government Performance and Results Act of 1993 ("GPRA"),
virtually every federal agency is required to develop a five-
year strategic plan, an annual performance plan and
performance measures to assess how well the agency is
meeting its performance objectives. Like many other
agencies, the FTC strives to capture all of the activities that
FTC staff perform to achieve the agency's mission.

On an annual basis, the OIG reviews the agency’s
performance measures to determine whether systems are in
place to accurately capture this information for external
reporting.
The OIG plans to expand the scope of the required
review in a separate effort to look at whether selected
measures (i) are relevant to the agency’s missions; (ii) cover
the work of all direct enforcement staff; and (iii) are correctly
matched to current year budgetary resources.

AR 05-XXX              Review of Assistance Provided to FTC Regional Offices

The Federal Trade Commission maintains a regional presence
with offices in seven geographical areas across the country.
Together, FTC’s Regional office operations consume
approximately 15 to 20 percent of agency resources.

The objectives of this review are twofold. First, the OIG will
evaluate the manner in which the FTC regional offices
manage operational and administrative responsibilities, and
maintain a system of internal controls in areas including, but
not limited to (i) time and attendance reporting, (ii)
procurement, (iii) property management, (iv) use of experts
and consultants, (v) contract administration, and (vi) physical
and information security. Each will be reviewed in
accordance with the FTC Administrative Manual, GSA
policy, and Department of Treasury requirements. Second,
the OIG will also assess how well the FTC central offices,
located in Washington DC, are supporting the regional
offices.
Specifically, the OIG will interview administrative,
enforcement and management staff to obtain their views on
the quality, timeliness and sufficiency of support provided by
headquarters personnel.

INVESTIGATIVE ACTIVITIES

The Inspector General is authorized by the IG Act to receive and investigate allegations of
fraud, waste and abuse occurring within FTC programs and operations. Matters of possible
wrongdoing are referred to the OIG in the form of allegations or complaints from a variety of
sources, including FTC employees, other government agencies and the general public.

Reported incidents of possible fraud, waste and abuse can give rise to administrative, civil
or criminal investigations. OIG investigations might also be initiated based on the possibility of
wrongdoing by firms or individuals when there is an indication that they are or were involved in
activities intended to improperly affect the outcome of particular agency enforcement actions.
Because this kind of wrongdoing strikes at the integrity of the FTC's consumer protection and
antitrust law enforcement missions, the OIG places a high priority on investigating it.

In conducting criminal investigations during the past several years, the OIG has sought
assistance from, and worked jointly with, other law enforcement agencies, including other OIG’s,
the Federal Bureau of Investigation (FBI), the U.S. Postal Inspection Service, the U.S. Secret
Service, the U.S. Marshal’s Service, the Internal Revenue Service, Capitol Hill Police, as well as
state agencies and local police departments.

Investigative Summary

During this reporting period, the OIG received 128 complaints/allegations of possible
wrongdoing.
Of the 128 complaints, 87 involved issues that fall under the jurisdiction of FTC
program components (identity theft, credit repair, etc.). Consequently, the OIG referred these
matters to the appropriate FTC component for disposition. Another 18 complaints were referred to
other government and/or law enforcement agencies for ultimate disposition.

Of the remaining 23 complaints, 17 were closed without any action and 4 are still under
review while the OIG obtains additional information to determine whether they warrant a full
investigation. The two remaining complaints are matters that are now under investigation by the
OIG.

Following is a summary of the OIG's investigative activities for the six-month period ending
September 30, 2004.

Cases pending as of 3/31/04       5
  Plus: New cases                +2
  Less: Cases closed             (1)
Cases pending as of 9/30/04       6

During the current period the OIG opened an investigation into possible wrongdoing by a
staff attorney after receiving a security violations report from the Information Technology
Management Office. The report indicated that, in violation of agency policy, the employee had
visited pornographic websites and downloaded pornographic images onto his FTC computer. The
OIG obtained the employee’s hard drive and sought assistance from the FBI forensic unit that
specializes in the identification of child pornography. After jointly reviewing the downloaded
material it was determined that the hard drive contained only adult content material and thus did not
support referral to a prosecutor.
The OIG informed management of its findings and closed the case.
Management recommended a 30-day suspension without pay as disciplinary action for the
employee’s violation of agency computer and internet use policy.

Matters Referred for Prosecution

During the current reporting period the OIG did not refer any cases to a federal prosecutor.
However, the OIG consulted with a prosecutor on two investigations.

OTHER ACTIVITIES

Significant Management Decisions

Section 5(a)(12) of the Inspector General Act requires that if the IG disagrees with any
significant management decision, such disagreement must be reported in the semiannual report.
Further, Section 5(a)(11) of the Act requires that any decision by management to change a
significant resolved audit finding must also be disclosed in the semiannual report. For this
reporting period there were no significant final management decisions made on which the IG
disagreed and management did not revise any earlier decision on an OIG audit recommendation.

Access to Information

The IG is to be provided with ready access to all agency records, information, or assistance
when conducting an investigation or audit. Section 6(b)(2) of the IG Act requires the IG to report
to the agency head, without delay, if the IG believes that access to required information, records, or
assistance has been unreasonably refused, or otherwise has not been provided. A summary of each
report submitted to the agency head in compliance with Section 6(b)(2) must be provided in the
semiannual report in accordance with Section 5(a)(5) of the Act.

During this reporting period, the OIG did not encounter any problems in obtaining assistance
or access to agency records.
Consequently, no report was issued by the IG to the agency head in
accordance with Section 6(b)(2) of the IG Act.

Internet Access

The OIG can be accessed via the Internet at: http://www.ftc.gov/oig. A visitor to
the OIG home page can download recent (1996-2004) OIG semiannual reports to Congress, the FY
1998 - 2003 financial statement audits, and other program and performance audits issued beginning
in FY 1999. A list of audit reports issued prior to FY 1999 can also be ordered via an e-mail link to
the OIG. In addition to this information resource about the OIG, visitors are also provided a link to
other federal organizations and offices of inspectors general.

Audit Resolution

As of the end of this reporting period, all OIG audit recommendations for reports issued in
prior periods have been resolved. That is, management and the OIG have reached agreement on
what actions need to be taken.

Review of Legislation

Section 4(a)(2) of the IG Act authorizes the IG to review and comment on proposed
legislation or regulations relating to the agency or upon request affecting the operations of the OIG.
During this reporting period, the OIG provided comments to the PCIE/ECIE on matters concerning
expanded law enforcement authority for ECIE OIG’s.

Contacting the Office of Inspector General

Employees and the public are encouraged to contact the OIG regarding any incidents of
possible fraud, waste, or abuse occurring within FTC programs and operations. The OIG telephone
number is (202) 326-2800. To report suspected wrongdoing, employees and the public should call
the OIG's investigator directly on (202) 326-2618. A confidential or anonymous message can be left
24 hours a day.
Complaints or allegations of fraud, waste or abuse can also be emailed directly to
chogue@ftc.gov.

The OIG is located in Suite 1110, 601 New Jersey Avenue, Washington, D.C. Office hours
are from 8:00 a.m. to 6:00 p.m., Monday through Friday, except federal holidays. Mail should be
addressed to:

    Federal Trade Commission
    Office of Inspector General
    Room NJ-1110
    600 Pennsylvania Avenue, NW
    Washington, DC 20580